CVE-2023-38692 (GCVE-0-2023-38692)
Vulnerability from cvelistv5 – Published: 2023-08-04 17:22 – Updated: 2024-10-10 15:53
VLAI?
Title
Command injection vulnerability in module management function in CloudExplorer Lite
Summary
CloudExplorer Lite is an open source, lightweight cloud management platform. Versions prior to 1.3.1 contain a command injection vulnerability in the installation function in module management. The vulnerability has been fixed in v1.3.1. There are no known workarounds aside from upgrading.
Severity ?
9.8 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CloudExplorer-Dev | CloudExplorer-Lite |
Affected:
< 1.3.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:56.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w"
},
{
"name": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java"
},
{
"name": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:cloudexplorer_lite:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cloudexplorer_lite",
"vendor": "fit2cloud",
"versions": [
{
"lessThan": "1.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38692",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T15:25:51.595796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T15:53:49.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CloudExplorer-Lite",
"vendor": "CloudExplorer-Dev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CloudExplorer Lite is an open source, lightweight cloud management platform. Versions prior to 1.3.1 contain a command injection vulnerability in the installation function in module management. The vulnerability has been fixed in v1.3.1. There are no known workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-04T17:22:39.567Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w"
},
{
"name": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java"
},
{
"name": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1"
}
],
"source": {
"advisory": "GHSA-7wrc-f42m-9v5w",
"discovery": "UNKNOWN"
},
"title": "Command injection vulnerability in module management function in CloudExplorer Lite"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38692",
"datePublished": "2023-08-04T17:22:39.567Z",
"dateReserved": "2023-07-24T16:19:28.364Z",
"dateUpdated": "2024-10-10T15:53:49.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fit2cloud:cloudexplorer_lite:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.3.1\", \"matchCriteriaId\": \"A35B9D5D-A475-444B-B6CE-C9E9BA60C503\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"CloudExplorer Lite is an open source, lightweight cloud management platform. Versions prior to 1.3.1 contain a command injection vulnerability in the installation function in module management. The vulnerability has been fixed in v1.3.1. There are no known workarounds aside from upgrading.\"}, {\"lang\": \"es\", \"value\": \"CloudExplorer Lite es una plataforma de gesti\\u00f3n de nubes ligera y de c\\u00f3digo abierto. Las versiones anteriores a la 1.3.1 contienen una vulnerabilidad de inyecci\\u00f3n de comandos en la funci\\u00f3n de instalaci\\u00f3n en la gesti\\u00f3n de m\\u00f3dulos. La vulnerabilidad se ha corregido en la versi\\u00f3n 1.3.1. No hay soluciones conocidas aparte de la actualizaci\\u00f3n.\"}]",
"id": "CVE-2023-38692",
"lastModified": "2024-11-21T08:14:04.103",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2023-08-04T18:15:14.203",
"references": "[{\"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-38692\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-08-04T18:15:14.203\",\"lastModified\":\"2024-11-21T08:14:04.103\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CloudExplorer Lite is an open source, lightweight cloud management platform. Versions prior to 1.3.1 contain a command injection vulnerability in the installation function in module management. The vulnerability has been fixed in v1.3.1. There are no known workarounds aside from upgrading.\"},{\"lang\":\"es\",\"value\":\"CloudExplorer Lite es una plataforma de gesti\u00f3n de nubes ligera y de c\u00f3digo abierto. Las versiones anteriores a la 1.3.1 contienen una vulnerabilidad de inyecci\u00f3n de comandos en la funci\u00f3n de instalaci\u00f3n en la gesti\u00f3n de m\u00f3dulos. La vulnerabilidad se ha corregido en la versi\u00f3n 1.3.1. No hay soluciones conocidas aparte de la actualizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fit2cloud:cloudexplorer_lite:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.3.1\",\"matchCriteriaId\":\"A35B9D5D-A475-444B-B6CE-C9E9BA60C503\"}]}]}],\"references\":[{\"url\":\"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Command injection vulnerability in module management function in CloudExplorer Lite\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-78\", \"lang\": \"en\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w\"}, {\"name\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java\"}, {\"name\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1\"}], \"affected\": [{\"vendor\": \"CloudExplorer-Dev\", \"product\": \"CloudExplorer-Lite\", \"versions\": [{\"version\": \"\u003c 1.3.1\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-08-04T17:22:39.567Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"CloudExplorer Lite is an open source, lightweight cloud management platform. Versions prior to 1.3.1 contain a command injection vulnerability in the installation function in module management. The vulnerability has been fixed in v1.3.1. There are no known workarounds aside from upgrading.\"}], \"source\": {\"advisory\": \"GHSA-7wrc-f42m-9v5w\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T17:46:56.604Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-7wrc-f42m-9v5w\"}, {\"name\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java\"}, {\"name\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/releases/tag/v1.3.1\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-38692\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-10T15:25:51.595796Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:fit2cloud:cloudexplorer_lite:*:*:*:*:*:*:*:*\"], \"vendor\": \"fit2cloud\", \"product\": \"cloudexplorer_lite\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.3.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-10T15:48:58.261Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2023-38692\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2023-07-24T16:19:28.364Z\", \"datePublished\": \"2023-08-04T17:22:39.567Z\", \"dateUpdated\": \"2024-10-10T15:53:49.644Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…